Page 3
1.1.12 (L2) Ensure that only organizationally managed/approved public groups exist (Manual)................. 45
1.1.13 (L2) Ensure that collaboration invitations are sent to allowed domains only (Manual) ..................... 48
1.1.14 (L2) Ensure that LinkedIn contact synchronization is disabled (Manual) ......................................... 50
1.1.15 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users (Manual) ........................................ 52
1.1.16 (L2) Ensure the option to remain signed in is hidden (Manual) ........................................................ 55
1.2 (L1) Ensure modern authentication for Exchange Online is enabled (Automated) ................................ 57
1.3 (L1) Ensure modern authentication for SharePoint applications is required (Automated) ..................... 60
1.4 (L1) Ensure that Office 365 Passwords Are Not Set to Expire (Automated) ......................................... 62
1.5 (L1) Ensure Administrative accounts are separate and cloud-only (Manual) ........................................ 65
2 Application Permissions ...................................................................................................67
2.1 (L2) Ensure third party integrated applications are not allowed (Manual) ............................................. 68
2.2 (L2) Ensure calendar details sharing with external users is disabled (Automated) ............................... 70
2.3 (L2) Ensure Safe Links for Office Applications is Enabled (Automated) ............................................... 72
2.4 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled (Automated) ........................................ 77
2.5 (L2) Ensure Office 365 SharePoint infected files are disallowed for download (Automated)................. 79
2.6 (L2) Ensure user consent to apps accessing company data on their behalf is not allowed (Automated) ........................................ 81
2.7 (L2) Ensure the admin consent workflow is enabled (Automated) ........................................................ 84
2.8 (L2) Ensure users installing Outlook add-ins is not allowed (Automated) ........................................... 86
2.9 (L1) Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed (Manual) ............... 89
2.10 (L1) Ensure internal phishing protection for Forms is enabled (Manual) ............................................. 91
2.11 (L1) Ensure that Sways cannot be shared with people outside of your organization (Manual) ........... 93
3 Data Management ..............................................................................................................95
3.1 (L2) Ensure the customer lockbox feature is enabled (Automated) ...................................................... 96
3.2 (L2) Ensure SharePoint Online Information Protection policies are set up and used (Manual) ............. 98
3.3 (L2) Ensure external domains are not allowed in Skype or Teams (Manual) ...................................... 100
3.4 (L1) Ensure DLP policies are enabled (Automated) ............................................................................ 102
3.5 (L1) Ensure DLP policies are enabled for Microsoft Teams (Manual) ................................................. 104
3.6 (L2) Ensure that external users cannot share files, folders, and sites they do not own (Automated) .. 107
3.7 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services (Manual) ........................................ 109
4 Email Security / Exchange Online .................................................................................. 113
4.1 (L1) Ensure the Common Attachment Types Filter is enabled (Automated) ....................................... 114
4.2 (L1) Ensure Exchange Online Spam Policies are set to notify administrators (Automated) ................ 116
4.3 (L1) Ensure all forms of mail forwarding are blocked and/or disabled (Automated) ............................ 119
4.4 (L1) Ensure mail transport rules do not whitelist specific domains (Automated) ................................. 124
4.5 (L2) Ensure Safe Attachments policy is enabled (Automated) ............................................................ 126
4.6 (L1) Ensure that an anti-phishing policy has been created (Automated) ............................................. 128
4.7 (L1) Ensure that DKIM is enabled for all Exchange Online Domains (Automated) ............................. 131
4.8 (L1) Ensure that SPF records are published for all Exchange Domains (Manual) .............................. 134
4.9 (L1) Ensure DMARC Records for all Exchange Online domains are published (Manual) ................... 136
4.10 (L1) Ensure notifications for internal users sending malware is Enabled (Automated) ..................... 138
4.11 (L2) Ensure MailTips are enabled for end users (Automated) ........................................................... 141
5 Auditing ............................................................................................................................ 142
5.1 (L1) Ensure Microsoft 365 audit log search is Enabled (Automated) .................................................. 143
5.2 (L1) Ensure mailbox auditing for all users is Enabled (Automated) ..................................................... 145
5.3 (L1) Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly (Manual) ...................... 149
5.4 (L2) Ensure the Application Usage report is reviewed at least weekly (Manual) ................................. 151
5.5 (L1) Ensure the self-service password reset activity report is reviewed at least weekly (Manual) ...... 152